All 50 states have enacted their own version of a data breach notification statute requiring notice to affected individuals and/or regulatory bodies in the event of data loss, unauthorized data access or data exfiltration of personally identifiable information (“PII”). Many states, however, do not require such notification when the data at issue is encrypted. But what “encryption” requirements trigger this “safe harbor” provision? Each state’s answer to this question is slightly different. Some states exclude…

One of the biggest risks to data security is lack of vendor (third-party) and vendor subcontractor (fourth-party) management. Companies can mitigate ever-increasing vendor data security risk through purchasing appropriate cyber insurance and implementing a vendor risk management program that includes processes for systematically conducting due diligence and contract negotiations. If primary vendors are not properly assessed, or controls are not placed on subcontractors (i.e., “fourth parties”) that may be used to render primary vendors’ services,…

The SEC’s recent enforcement action and settlement with Altaba (formerly known as Yahoo) over the company’s major data breach provides a suggested roadmap for how companies may want to proactively approach data breach issues. Some major takeaways are: (1) companies should have effective controls in place to assess disclosure obligations; (2) known cyberattacks should, when appropriate, be included in disclosures in public filings; and (3) if known cyberattacks have a material impact on the business,…

With Alabama’s recent enactment of the Alabama Data Breach Notification Act of 2018 (“Act”), all 50 states now have their own data breach reporting statutes. Given the complexity of the current U.S. data breach reporting regime, which also includes statutory reporting obligations in jurisdictions like Puerto Rico and the District of Columbia, businesses with customers in more than one state must coordinate with advisors who have experience navigating this patchwork quilt of statutes. On March…

Everyone has been to a lot of presentations, read articles and evaluated the General Data Privacy Regulation (“GDPR”) – yet many questions remain. Many companies continue to struggle with determining whether (1) the GDPR applies to them and, if so, (2) what can be done before the May 25th compliance deadline. It is not too late to have these questions answered when working with experienced counsel who can navigate the issues at hand. For instance, possession…

Both large and small companies can be overwhelmed by the volume of records that they create both in paper and electronic formats. What does your company do with this mountain of paper and electronic records? How long should your company retain and archive such records when considering the myriad of complex federal record retention requirements, state-specific record retention requirements and other government agency standards? A blanket indefinite retention and storage policy related to all of…